Monday, February 26, 2007

David posted earlier an article written by Eric Allman for the ACM queue that discusses typical cases of how security bugs in software are dealt with. Now as I read this I noticed (and perhaps you did too) that a few paragraphs in is the following not-so-subtle advertisement link:

"Visual Studio 2005. Over 400 new features, the difference is obvious."

I found myself chuckling out loud in my cubicle at the irony in that advertisement when taken with the lead-in quote at the top of the article:

"A sad truism is that to write code is to create bugs (at least using today's software development technology)"

I'd like to believe that by that ad placement, someone was trying to raise an interesting question in a humorous way: How many security vulnerabilities are introduced into code through new features, and of these new features how many should have really been added? It seems to me that many software releases, whether they be minor revisions, service packs, or brand new major versions, are a race to cram as much crap (disguised not-so-cleverly as "features") as possible into the product before the release date.

With each new release comes a whole new slew of vulnerabilities that previously did not exist,. This, of course, ties back in to one of the points made in the article about software bugs being inevitable. I just wonder how many of them are there as a result of features that have no real business cases driving them or could have been pushed out to later release where more though and care could have been taken in their development.